Google的X509TrustManager接口的不安全实现
富念
问题内容:
问题答案:
我在Google Play中有一个应用,我收到了来自Google的邮件,内容是:
此电子邮件末尾列出的您的应用使用了X509TrustManager界面的不安全实现。具体而言,在与远程主机建立HTTPS连接时,该实现会忽略所有SSL证书验证错误,从而使您的应用容易受到中间人攻击。
为了正确处理SSL证书验证,只要服务器提供的证书不符合您的期望,请在自定义X509TrustManager接口的checkServerTrusted方法中更改代码以引发CertificateException或IllegalArgumentException。
我的应用使用“ https”,我checkServerTrusted()的如下:
TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
然后我修改此功能:
TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
if (chain == null) {
throw new IllegalArgumentException("checkServerTrusted: X509Certificate array is null");
}
if (!(chain.length > 0)) {
throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty");
}
if (!(null != authType && authType.equalsIgnoreCase("RSA"))) {
throw new CertificateException("checkServerTrusted: AuthType is not RSA");
}
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
自定义SSLSocketFactory:
public class MySSLSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");
public MySSLSocketFactory(KeyStore ctx) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
super(ctx);
TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
sslContext.init(null, new TrustManager[]{tm}, null);
}
@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
}
@Override
public Socket createSocket() throws IOException {
return sslContext.getSocketFactory().createSocket();
}
}
HttpClient功能:
private static HttpClient getHttpClient(int timeout) {
if (null == mHttpClient) {
try {
KeyStore trustStore = KeyStore.getInstance(KeyStore
.getDefaultType());
trustStore.load(null, null);
SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
HttpParams params = new BasicHttpParams();
HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
HttpProtocolParams.setContentCharset(params,
HTTP.DEFAULT_CONTENT_CHARSET);
HttpProtocolParams.setUseExpectContinue(params, true);
ConnManagerParams.setTimeout(params, timeout);
HttpConnectionParams.setConnectionTimeout(params, timeout);
HttpConnectionParams.setSoTimeout(params, timeout);
SchemeRegistry schReg = new SchemeRegistry();
schReg.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
schReg.register(new Scheme("https", sf, 443));
ClientConnectionManager conManager = new ThreadSafeClientConnManager(
params, schReg);
mHttpClient = new DefaultHttpClient(conManager, params);
} catch (Exception e) {
e.printStackTrace();
return new DefaultHttpClient();
}
}
return mHttpClient;
}
但是我对此不太了解,我只是按照电子邮件中的内容修改了代码,我认为我没有解决这个问题。这是什么警告呢?怎么解决呢?
问题答案:
我找到了这个解决方案,效果很好!
X509TrustManager:
public class EasyX509TrustManager
implements X509TrustManager {
private X509TrustManager standardTrustManager = null;
/**
* Constructor for EasyX509TrustManager.
*/
public EasyX509TrustManager(KeyStore keystore)
throws NoSuchAlgorithmException, KeyStoreException {
super();
TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
factory.init(keystore);
TrustManager[] trustmanagers = factory.getTrustManagers();
if (trustmanagers.length == 0) {
throw new NoSuchAlgorithmException("no trust manager found");
}
this.standardTrustManager = (X509TrustManager) trustmanagers[0];
}
/**
* @see X509TrustManager#checkClientTrusted(X509Certificate[], String authType)
*/
public void checkClientTrusted(X509Certificate[] certificates, String authType)
throws CertificateException {
standardTrustManager.checkClientTrusted(certificates, authType);
}
/**
* @see X509TrustManager#checkServerTrusted(X509Certificate[], String authType)
*/
public void checkServerTrusted(X509Certificate[] certificates, String authType)
throws CertificateException {
if ((certificates != null) && (certificates.length == 1)) {
certificates[0].checkValidity();
} else {
standardTrustManager.checkServerTrusted(certificates, authType);
}
}
/**
* @see X509TrustManager#getAcceptedIssuers()
*/
public X509Certificate[] getAcceptedIssuers() {
return this.standardTrustManager.getAcceptedIssuers();
}
}
SSLSocketFactory:
public class EasySSLSocketFactory implements LayeredSocketFactory {
private SSLContext sslcontext = null;
private static SSLContext createEasySSLContext() throws IOException {
try {
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new TrustManager[]{new EasyX509TrustManager(
null)}, null);
return context;
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
private SSLContext getSSLContext() throws IOException {
if (this.sslcontext == null) {
this.sslcontext = createEasySSLContext();
}
return this.sslcontext;
}
/**
* @see org.apache.http.conn.scheme.SocketFactory#connectSocket(Socket,
* String, int, InetAddress, int,
* HttpParams)
*/
public Socket connectSocket(Socket sock, String host, int port,
InetAddress localAddress, int localPort, HttpParams params)
throws IOException, UnknownHostException, ConnectTimeoutException {
int connTimeout = HttpConnectionParams.getConnectionTimeout(params);
int soTimeout = HttpConnectionParams.getSoTimeout(params);
InetSocketAddress remoteAddress = new InetSocketAddress(host, port);
SSLSocket sslsock = (SSLSocket) ((sock != null) ? sock : createSocket());
if ((localAddress != null) || (localPort > 0)) {
// we need to bind explicitly
if (localPort < 0) {
localPort = 0; // indicates "any"
}
InetSocketAddress isa = new InetSocketAddress(localAddress,
localPort);
sslsock.bind(isa);
}
sslsock.connect(remoteAddress, connTimeout);
sslsock.setSoTimeout(soTimeout);
return sslsock;
}
/**
* @see org.apache.http.conn.scheme.SocketFactory#createSocket()
*/
public Socket createSocket() throws IOException {
return getSSLContext().getSocketFactory().createSocket();
}
/**
* @see org.apache.http.conn.scheme.SocketFactory#isSecure(Socket)
*/
public boolean isSecure(Socket socket) throws IllegalArgumentException {
return true;
}
/**
* @see LayeredSocketFactory#createSocket(Socket,
* String, int, boolean)
*/
public Socket createSocket(Socket socket, String host, int port,
boolean autoClose) throws IOException, UnknownHostException {
return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
}
// -------------------------------------------------------------------
// javadoc in org.apache.http.conn.scheme.SocketFactory says :
// Both Object.equals() and Object.hashCode() must be overridden
// for the correct operation of some connection managers
// -------------------------------------------------------------------
public boolean equals(Object obj) {
return ((obj != null) && obj.getClass().equals(
EasySSLSocketFactory.class));
}
public int hashCode() {
return EasySSLSocketFactory.class.hashCode();
}
}
然后:
SchemeRegistry schReg = new SchemeRegistry();
schReg.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
schReg.register(new Scheme("https", new EasySSLSocketFactory(), 443));
类似资料:
-
Google建议我在Android应用程序中有一个不安全的X509TrustManager接口实现,需要更改代码如下: 若要正确处理SSL证书验证,请更改自定义X509TrustManager接口的checkServerTrusted方法中的代码,以便在服务器提供的证书不符合预期时引发CertificateException或IllegalArgumentException。对于技术问题,您可以p
-
问题内容: 我正在尝试建立一个实现和的类。这两个接口都定义了方法,但是返回类型不同: K的类型擦除导致这两个方法签名冲突。我不能拥有它们中的一个,因为它是一个无效的覆盖,并且我不能拥有两个,因为它们具有相同的签名。有什么方法可以使这两个接口共存? 问题答案: 我认为在这种特殊情况下是不可能的。如果两个类都返回了对象类型,那么您将有机会,但是由于您混合了基本类型和对象类型,因此没有兼容的类型同时支持
-
我正在尝试使用 JDBC 函数使用 Google Apps 脚本连接到我的 MS-SQL DB。我们使用Windows集成安全性,但是当我尝试使用此参数进行连接时,我收到一条错误消息,指出它不受支持。 我已经尝试提供我的windows凭据,并使用参数“IntegratedSecurity=true”,但无法连接,尝试使用服务器IP和名称,但也不起作用。 我也尝试过这种形式: 它应该连接到服务器,但
-
大话接口隐私与安全 作为后端程序猿自己写的接口就像自己的孩子一样,尽然制造出来了,那就要对他以后的人生负责到底; 随着业务的壮大,需要支撑业务接口也越来越多,使用的用户量变大,虎视眈眈的黑客们视机而动,总是在业务中寻找着可以窃取他人利益的入口,所以我们应该多考虑安全性问题,防范于未然。 场景 服务端程序猿根据需求开发出业务相关的接口,用来满足需求中用户和服务器交互的功能,提供给前端或者客户端(P
-
当开发人员公开对内部实现对象(例如:文件,目录或数据库密钥)的引用而没有任何允许攻击者操纵这些引用来访问未授权数据的验证机制时,可能会发生直接对象引用。 通过下面每项来了解这个漏洞的威胁代理,攻击向量,安全弱点,技术影响和业务影响。 威胁代理 - 任何只能部分访问某些类型系统数据的用户。 攻击者的方法 - 攻击者是一个授权系统用户,只需将直接引用系统对象的参数值更改为用户未授权的另一个对象。 安全